In LDB, some values are redacted during debug prints. The priorSecret value should also be included in that for secrets.ldb database.
Fixed in Samba 4.9 and later by: commit 6a09162df6bd38098253b50a7ac32bfdc8dbf9d4 Author: Aaron Haslett <aaronhaslett@catalyst.net.nz> Date: Tue May 1 11:10:40 2018 +1200 ldb: removing prior secret from logs priorSecret, like secret, can contain a machine account password (for secrets.ldb) and so should not be printed in a debug trace. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13353 Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>